The DNS agent has the following notes:
The high availability fire drill detects discrepancies between the VCS configuration and the underlying infrastructure on a node; discrepancies that might prevent a service group from going online on a specific node.
For DNS resources, the high availability fire drill performs the following checks:
For more information about using the high availability fire drill, see the Veritas Cluster Server User's Guide.
Depending on whether the Online lock file exists and on the defined Resource Records (RR), the Monitor function returns different status messages.
Take the former Veritas corporate web server as an example. A person using a web browser specifies the URL www.veritas.com to view the Veritas Web page. The name www.veritas.com maps to the canonical name mtv.veritas.com, which is a host in Mountain View running the web server. The browser, in turn, retrieves the IP address for the web server by querying the domain name servers. If VCS One fails the web server for www.veritas.com over from Mountain View to Heathrow, the domain name servers must be updated with the new canonical name mapping, so that web browsers are directed to Heathrow instead of Mountain View. In case of a failover, the DNS agent should therefore update the name server to change the mapping of www.veritas.com from mtv.veritas.com to the canonical name of the standby system in Heathrow, hro.veritas.com.
The DNS agent expects that the zone's allow-update field contains the IP addresses of the hosts that can dynamically update the DNS records. This is the DNS agent's default mode of operation. Because a competent black hat can spoof IP addresses, however, consider TSIG as an alternative.
TSIG (Transaction Signature), as specified in RFC 2845, is a shared-key message authentication mechanism available in DNS. A TSIG key provides the means to authenticate and verify the validity of exchanged DNS data. It uses a shared secret key between a resolver and either one or two servers to provide security.
In the following example, the domain is example.com.
To use secure updates using TSIG keys:
1. Use the dnssec-keygen command with the HMAC-MD5 option to generate a pair of files that contain the TSIG key:
2. When you display the key file with the cat command, the contents of the file resemble:
3. Copy both the private and public key files onto the node. A good location is the /var/tsig/ directory.
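The following is an added example, not code from the Veritas DNS agent or from this guide, showing what the TSIG mechanism described above actually does on the wire and why it resists the IP spoofing that an allow-update list alone does not: it builds an RFC 2136 dynamic UPDATE (the kind of record change the agent makes at failover), signs it with HMAC-MD5 exactly as RFC 2845 specifies (to match the dnssec-keygen HMAC-MD5 procedure; RFC 4635 later added HMAC-SHA256, which current BIND also accepts and is the better choice where supported), and then performs the verification a name server does before applying the update. The zone, host name, address, key name and secret are constructed placeholders; in real use the secret is the base64-decoded Secret line from the .private file that dnssec-keygen wrote, and the key name matches the name given to dnssec-keygen.

```python
"""RFC 2845 TSIG signing and verification of a DNS UPDATE message.
Added example, not Veritas agent code; standard library only. Key name, zone,
host name, address and secret below are constructed placeholders."""
import hashlib
import hmac
import struct
import time

ALGORITHM = "hmac-md5.sig-alg.reg.int"  # RFC 2845 algorithm name for HMAC-MD5
RTYPE_A, RTYPE_SOA, RTYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Wire-format a domain name in canonical (lowercase, uncompressed) form."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(buf, pos):
    """Offset just past the name at pos; a 0xC0 label is a 2-byte compression pointer."""
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += buf[pos] + 1
    return pos + 1

def build_update(zone, owner, ipv4, msg_id=0x1234):
    """Unsigned RFC 2136 UPDATE that adds one A record (ZOCOUNT=1, UPCOUNT=1)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", RTYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", RTYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + zone_section + rr

def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR; the MAC is HMAC-MD5 over the message plus the TSIG variables."""
    ts = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + _tsig_variables(key_name, ts, fudge), hashlib.md5).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!HIHH", ts >> 32, ts & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", RTYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1  # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def verify(signed, key_name, secret, now=None):
    """True only if the trailing TSIG RR authenticates the message under `secret`.
    This is the check a name server performs before applying a dynamic update."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False
    pos = 12
    for _ in range(qd):
        pos = _skip_name(signed, pos) + 4
    for _ in range(an + ns + ar):  # walk every RR; the last one must be the TSIG
        start = pos
        pos = _skip_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
        pos += 10 + rdlen
    if rtype != RTYPE_TSIG or pos != len(signed):
        return False
    name_end = _skip_name(signed, start)
    alg_start, alg_end = name_end + 10, _skip_name(signed, name_end + 10)
    if signed[start:name_end] != encode_name(key_name) or signed[alg_start:alg_end] != encode_name(ALGORITHM):
        return False
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac, tail = signed[alg_end + 10:alg_end + 10 + mac_len], alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other, ts = signed[tail + 6:tail + 6 + other_len], (t_hi << 32) | t_lo
    now = int(time.time()) if now is None else now
    if abs(now - ts) > fudge:  # stale or replayed message (RFC 2845 section 4.5.2)
        return False
    # Rebuild the message as the signer saw it: original ID, ARCOUNT without the TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:start]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, ts, fudge, error, other),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

def demo():
    """Sign a failover-style update, then show what a server accepts and rejects."""
    key_name = "example.com."  # constructed; the name given to dnssec-keygen would be used here
    secret = b"constructed-demo-secret"  # real use: base64-decode the Secret from the .private file
    update = build_update("example.com.", "www.example.com.", "192.0.2.10")
    signed = sign(update, key_name, secret, time_signed=1700000000)
    cut = len(update) - 1  # last octet of the A record's address
    tampered = signed[:cut] + bytes([signed[cut] ^ 1]) + signed[cut + 1:]
    return {
        "valid": verify(signed, key_name, secret, now=1700000100),
        "tampered_address": verify(tampered, key_name, secret, now=1700000100),
        "wrong_key": verify(signed, key_name, b"another-secret", now=1700000100),
        "stale": verify(signed, key_name, secret, now=1700001000),
    }
```

Calling demo() returns a dict in which only "valid" is True: an altered address, a different shared secret, or a timestamp outside the fudge window all fail verification regardless of which source IP the packet claims to come from, which is the property the allow-update list by itself cannot give you. A server that rejects a TSIG-signed update sends a BADSIG, BADKEY or BADTIME error, so those responses in the name server log are the signal to watch for when the agent's key files on the node and the key block in the server's configuration have drifted apart.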